
#1 2024-02-08 12:51:08

skypher
Member
Registered: 2024-02-08
Posts: 7

Registration security issue

I've had to reregister for the forums and noticed that it requires you to run a shell command by copying and pasting it to a terminal and then inserting the output.

I think this creates a dangerous precedent. Users, especially newbies, shouldn't be taught to run any shell command from a website.

If this is some kind of captcha, I would suggest switching to another method.

Last edited by skypher (2024-02-08 12:52:05)


#2 2024-02-08 13:23:38

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 21,104

Re: Registration security issue

It is a captcha and it has been very effective at keeping out bot accounts.

I consider the actual test as such quite useful. The logical precedence that newbies shouldn't blindly copy paste commands could be amended by telling them to use this as an exercise to understand what they are executing exactly. Ultimately everyone should understand the commands they are pasting into a terminal and this is no different. In terms of random commands to paste and going by examples some other webpages give this is quite tame and is a read only access on information any Archer has on their system and should be able to provide anyway.

Last edited by V1del (2024-02-08 13:24:58)


#3 2024-02-08 13:48:29

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,355

Re: Registration security issue

I second the above, to the point that the following bears repeating:

V1del wrote:

... use this as an exercise to understand what they are executing

That said, there is a flaw in assuming there are no exceptions to the generally good idea here:

skypher wrote:

Users... shouldn't be taught to run any shell command from a website.

Taken to its logical extreme and without any exceptions, then our whole installation guide (along with the rest of our wiki) should be removed and users just left to figure it all out on their own.

Our installation guide gives users commands to use that will wipe their hard drive of any current OS, repartition that drive, install software, much of which runs as root.  Doesn't this sound pretty ghastly compared to a captcha that has a user munge some data including the date and kernel version into a forum entry code with no resulting side-effects on the host system?

No one should copy and paste commands from random websites.  But if bbs.archlinux.org is considered a random / untrustworthy website, why would one seek to register here anyways?

Last edited by Trilby (2024-02-08 13:52:23)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#4 2024-02-08 13:58:14

Raynman
Member
Registered: 2011-10-22
Posts: 1,537

Re: Registration security issue

And with the first question you ask after registering, it's highly likely you're gonna be given shell commands to run to diagnose/solve your problem. (edit: Trilby edited this point in already.)

BTW the actual question is "what is the output of ..."; running it is just one (obvious/easy) way to determine the answer.

Last edited by Raynman (2024-02-08 13:59:18)
